General

  • Target: Discord-Raid-Tool-Box-main.zip
  • Size: 34KB
  • Sample: 240804-z7n75s1amf
  • MD5: 122b408957627df7b1592b0bd391c82e
  • SHA1: cd6dddcd14662acc98bb702f6488ee1ccc7c1879
  • SHA256: d633cf3249a08f878a33ef419131e8affd85600923170109317906cefeb1e62f
  • SHA512: a65e29079b0ecae9ed89b2d01c11c05a5e53d7feadeff8442ea78b7159ffe108614ab4d80f3da485a8a5aa254f2215badfe69004dec59cdcfe4ce1777ab4f10a
  • SSDEEP: 768:G6p4oc5XfYhNG7Jp6xjXBetoNd2Oyp6ZUeASJCL16J8ihDi2dO6sMj:GATsXfbp6NXBba6ZUe9JCh6Jh4sOnMj

Malware Config

Targets

    • Target: Discord-Raid-Tool-Box-main/PussyKiller.exe
    • Size: 74KB
    • MD5: 7acd7ca811c678a92d62d556cae858dc
    • SHA1: b05d0fd47d2d905234db53614f725e3744c93b3e
    • SHA256: 736f8b467d09e4805d336c56b49ec183355dc433e04b93904d2e8d5876d5b9de
    • SHA512: 24fe70950fc092d9de383f5c80c70bdc4bd5e342b927e2fb495752e0036c3d2eb0547f60467ef5019a686fffd2f8057105d13dd566172f9438ffe4434748166b
    • SSDEEP: 1536:rNtW7bvrmSbUMiuidaw6v3ZfXR6/A8Id0FWGV09auvIUxjFxtbm:rzTyXRKA8Iwg9auvIUhFxty
    • Contains code to disable Windows Defender
      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first sight, etc.
    • Modifies WinLogon for persistence
    • StormKitty
      StormKitty is an open-source info stealer written in C#.
    • StormKitty payload
    • UAC bypass
    • Disables RegEdit via registry modification
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks